Closed
Bug 1322107
(CVE-2017-5380)
Opened 8 years ago
Closed 7 years ago
heap-use-after-free in nsFrameSelection::MoveCaret
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
People
(Reporter: nils, Assigned: smaug)
Details
(Keywords: csectype-uaf, sec-high, Whiteboard: [post-critsmash-triage][adv-main51+][adv-esr45.7+])
Attachments
(2 files)
|
950 bytes,
patch
|
mccr8
:
review+
dveditz
:
approval-mozilla-aurora+
dveditz
:
approval-mozilla-beta+
dveditz
:
sec-approval+
|
Details | Diff | Splinter Review |
|
968 bytes,
patch
|
dveditz
:
approval-mozilla-esr45+
|
Details | Diff | Splinter Review |
The latest ASAN build of Firefox (BuildID=20161204150411) crashes as follows when loading the testcase.
crash.html:
<script>
function start() {
o6=document.createElement('iframe');
o38=document.createElement('th');
o43=document.createElement('th');
o94=document.createRange();
try{while(document.removeChild(document.firstChild));}catch(e){}
o105=document.implementation.createHTMLDocument();
o105.body.appendChild(o6);
document.appendChild(o105.documentElement);
o121=frames[0];
o122=o121.document;
o122.documentElement.appendChild(o38);
o171=o121.getSelection();
document.documentElement.appendChild(o43);
o38.innerHTML="<svg id><animate attributeName='dominant-baseline'>";
o171.addRange(o94);
o171.modify('move', 'forward','lineboundary');
}
</script>
<body onload="start()"></body>
ASAN output:
=================================================================
==24239==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170001a959b at pc 0x7fd6f8c533e2 bp 0x7ffcde0bc590 sp 0x7ffcde0bc588
READ of size 2 at 0x6170001a959b thread T0 (Web Content)
#0 0x7fd6f8c533e1 in mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4171:27
#1 0x7fd6f905bef5 in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:970:3
#2 0x7fd6f908abbd in mozilla::dom::Selection::Modify(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:6420:8
#3 0x7fd6f5acc819 in mozilla::dom::SelectionBinding::modify(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Selection*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/SelectionBinding.cpp:710:3
#4 0x7fd6f67e9f30 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2879:13
#5 0x7fd6fcbf885c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#6 0x7fd6fcbf885c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:457
#7 0x7fd6fcbf9192 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:10
#8 0x7fd6fc959eac in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
#9 0x7fd6fc92941f in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:333:14
#10 0x7fd6fc936b9f in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:400:12
#11 0x7fd6fc93934e in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:689:12
#12 0x7fd6fcbf8913 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#13 0x7fd6fcbf8913 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:445
#14 0x7fd6fcbd8bf5 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:508:12
#15 0x7fd6fcbd8bf5 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2919
#16 0x7fd6fcbbd746 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:403:12
#17 0x7fd6fcbf8adc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:475:15
#18 0x7fd6fcbf9192 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:10
#19 0x7fd6fc6ce06d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2830:12
#20 0x7fd6f61fbf1f in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#21 0x7fd6f6c4fa81 in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#22 0x7fd6f6c4fa81 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#23 0x7fd6f6c1975d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1133:16
#24 0x7fd6f6c1b1a9 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1286:17
#25 0x7fd6f6c057f3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:463:5
#26 0x7fd6f6c09154 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:820:9
#27 0x7fd6f8d52939 in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1024:7
#28 0x7fd6f9bd218e in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7583:5
#29 0x7fd6f9bcdfd4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7387:7
#30 0x7fd6f9bd564f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7284:13
#31 0x7fd6f3e09500 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1255:3
#32 0x7fd6f3e08498 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:840:5
#33 0x7fd6f3e051ff in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
#34 0x7fd6f3e072f4 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:612:5
#35 0x7fd6f3e07eac in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:468:14
#36 0x7fd6f230c91b in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:633:18
#37 0x7fd6f4decf8b in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8624:7
#38 0x7fd6f4e9a44f in nsUnblockOnloadEvent::Run() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8577:5
#39 0x7fd6f212966b in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1213:7
#40 0x7fd6f21ad53c in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:381:10
#41 0x7fd6f2f5451f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#42 0x7fd6f2ec27c8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
#43 0x7fd6f2ec27c8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
#44 0x7fd6f2ec27c8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
#45 0x7fd6f8529bdf in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
#46 0x7fd6fa712e57 in XRE_RunAppShell /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:924:12
#47 0x7fd6f2ec27c8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
#48 0x7fd6f2ec27c8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
#49 0x7fd6f2ec27c8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
#50 0x7fd6fa7121a7 in XRE_InitChildProcess /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:756:7
#51 0x4dfb5b in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:115:19
#52 0x4dfb5b in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:438
#53 0x7fd70d23d82f in __libc_start_main /build/glibc-Qz8a69/glibc-2.23/csu/../csu/libc-start.c:291
#54 0x41ba38 in _start (/home/nils/MonkeyFarm/firefox/firefox+0x41ba38)
0x6170001a959b is located 283 bytes inside of 752-byte region [0x6170001a9480,0x6170001a9770)
freed by thread T0 (Web Content) here:
#0 0x4b218b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
#1 0x7fd6f8c2fcd4 in mozilla::PresShell::Release() /home/worker/workspace/build/src/layout/base/PresShell.cpp:837:1
#2 0x7fd6f8c52f26 in ~nsCOMPtr_base /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:294:7
#3 0x7fd6f8c52f26 in mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4165
#4 0x7fd6f905bef5 in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:970:3
#5 0x7fd6f908abbd in mozilla::dom::Selection::Modify(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:6420:8
#6 0x7fd6f5acc819 in mozilla::dom::SelectionBinding::modify(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Selection*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/SelectionBinding.cpp:710:3
#7 0x7fd6f67e9f30 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2879:13
#8 0x7fd6fcbf885c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#9 0x7fd6fcbf885c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:457
#10 0x7fd6fcbf9192 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:10
#11 0x7fd6fc959eac in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
#12 0x7fd6fc92941f in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:333:14
#13 0x7fd6fc936b9f in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:400:12
#14 0x7fd6fc93934e in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:689:12
#15 0x7fd6fcbf8913 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#16 0x7fd6fcbf8913 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:445
#17 0x7fd6fcbd8bf5 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:508:12
#18 0x7fd6fcbd8bf5 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2919
#19 0x7fd6fcbbd746 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:403:12
#20 0x7fd6fcbf8adc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:475:15
#21 0x7fd6fcbf9192 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:10
#22 0x7fd6fc6ce06d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2830:12
#23 0x7fd6f61fbf1f in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#24 0x7fd6f6c4fa81 in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#25 0x7fd6f6c4fa81 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#26 0x7fd6f6c1975d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1133:16
#27 0x7fd6f6c1b1a9 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1286:17
#28 0x7fd6f6c057f3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:463:5
#29 0x7fd6f6c09154 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:820:9
#30 0x7fd6f8d52939 in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1024:7
#31 0x7fd6f9bd218e in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7583:5
#32 0x7fd6f9bcdfd4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7387:7
#33 0x7fd6f9bd564f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7284:13
#34 0x7fd6f3e09500 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1255:3
previously allocated by thread T0 (Web Content) here:
#0 0x4b24ab in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
#1 0x4e0d9d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
#2 0x7fd6f4db0358 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
#3 0x7fd6f4db0358 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/PresShell.h:87
#4 0x7fd6f4db0358 in nsDocument::doCreateShell(nsPresContext*, nsViewManager*, mozilla::StyleSetHandle) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:3605
#5 0x7fd6f70611a7 in nsHTMLDocument::CreateShell(nsPresContext*, nsViewManager*, mozilla::StyleSetHandle) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:275:10
#6 0x7fd6f8d4b8d1 in nsDocumentViewer::InitPresentationStuff(bool) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:660:16
#7 0x7fd6f8d4b1b8 in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:915:10
#8 0x7fd6f8d4a317 in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:644:10
#9 0x7fd6f9bcb732 in nsDocShell::SetupNewViewer(nsIContentViewer*) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9351:7
#10 0x7fd6f9bc9e39 in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7208:17
#11 0x7fd6f9bd862a in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIURI*, bool) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8064:14
#12 0x7fd6f9b77003 in nsDocShell::EnsureContentViewer() /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7933:17
#13 0x7fd6f9babb77 in GetDocument /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:4523:3
#14 0x7fd6f9babb77 in non-virtual thunk to nsDocShell::GetDocument() /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:4521
#15 0x7fd6f4b1d983 in MaybeCreateDoc /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:3821:38
#16 0x7fd6f4b1d983 in GetDoc /home/worker/workspace/build/src/obj-firefox/dist/include/nsPIDOMWindow.h:185
#17 0x7fd6f4b1d983 in EnsureInnerWindow /home/worker/workspace/build/src/obj-firefox/dist/include/nsPIDOMWindow.h:888
#18 0x7fd6f4b1d983 in WrapObject /home/worker/workspace/build/src/dom/base/nsGlobalWindow.h:305
#19 0x7fd6f4b1d983 in non-virtual thunk to nsGlobalWindow::WrapObject(JSContext*, JS::Handle<JSObject*>) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.h:303
#20 0x7fd6f391c69c in XPCConvert::NativeInterface2JSObject(JS::MutableHandle<JS::Value>, nsIXPConnectJSObjectHolder**, xpcObjectHelper&, nsID const*, bool, nsresult*) /home/worker/workspace/build/src/js/xpconnect/src/XPCConvert.cpp:784:16
#21 0x7fd6f391a5b3 in XPCConvert::NativeData2JS(JS::MutableHandle<JS::Value>, void const*, nsXPTType const&, nsID const*, nsresult*) /home/worker/workspace/build/src/js/xpconnect/src/XPCConvert.cpp:344:16
#22 0x7fd6f39c6332 in GatherAndConvertResults /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1600:18
#23 0x7fd6f39c6332 in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1394
#24 0x7fd6f39c6332 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1350
#25 0x7fd6f39cd7af in GetAttribute /home/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1877:17
#26 0x7fd6f39cd7af in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1179
#27 0x7fd6fcbf885c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#28 0x7fd6fcbf885c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:457
#29 0x7fd6fcc7c071 in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:10
#30 0x7fd6fcc7c071 in CallGetter /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:635
#31 0x7fd6fcc7c071 in CallGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<js::Shape*>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1809
#32 0x7fd6fcc06b3f in GetExistingProperty<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1857:10
#33 0x7fd6fcc06b3f in NativeGetPropertyInline<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2084
#34 0x7fd6fcc06b3f in NativeGetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2118
#35 0x7fd6fcc06b3f in GetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1523
#36 0x7fd6fcc06b3f in GetProperty /home/worker/workspace/build/src/js/src/jsobj.h:844
#37 0x7fd6fcc06b3f in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4273
#38 0x7fd6fcbdcbbc in GetPropertyOperation /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:192:12
#39 0x7fd6fcbdcbbc in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2636
#40 0x7fd6fcbbd746 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:403:12
#41 0x7fd6fcbf8adc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:475:15
#42 0x7fd6fcbf9192 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:10
#43 0x7fd6fc6cbe02 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2771:12
#44 0x7fd6f39a95b7 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1211:23
#45 0x7fd6f2154326 in PrepareAndDispatch /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:122:14
#46 0x7fd6f21532f6 in SharedStub (/home/nils/MonkeyFarm/firefox/libxul.so+0x1f872f6)
#47 0x7fd6fa581ef8 in nsBrowserStatusFilter::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/toolkit/components/statusfilter/nsBrowserStatusFilter.cpp:172:16
#48 0x7fd6f3e09500 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1255:3
SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/layout/base/PresShell.cpp:4171:27 in mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush)
Shadow bytes around the buggy address:
0x0c2e8002d260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e8002d270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e8002d280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e8002d290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e8002d2a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2e8002d2b0: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e8002d2c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e8002d2d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e8002d2e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x0c2e8002d2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e8002d300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==24239==ABORTING
|
||
Comment 1•8 years ago
|
||
Olli, is this something you could look at? The free looks like it is the kungFuDeathGrip on line 4067 going away, and the use is mIsDestroying later on like 4171. Maybe the kungfu death grip just needs to be hoisted to the outer level of the function? The SVG in the test case is weird, but maybe it is just somehow getting didLayoutFlush to be true so we touch the member variable after the scope of the death grip.
Flags: needinfo?(bugs)
Keywords: csectype-uaf,
sec-critical
|
|
||
Comment 2•8 years ago
|
||
This code looks old, so I'm going to just assume it affects everything.
status-firefox50:
--- → affected
status-firefox51:
--- → affected
status-firefox52:
--- → affected
status-firefox-esr45:
--- → affected
|
Assignee | |
Updated•8 years ago
|
Assignee: nobody → bugs
Flags: needinfo?(bugs)
|
|
Assignee | |
Comment 3•8 years ago
|
||
Attachment #8817289 -
Flags: review?(continuation)
|
|
Assignee | |
Comment 4•8 years ago
|
||
Just trying to not addref/release when actually not needed.
|
|
||
Updated•8 years ago
|
Attachment #8817289 -
Flags: review?(continuation) → review+
|
|
||
Comment 5•8 years ago
|
||
The use is immediately after the free, without any user controllable code in the middle, and all it does is set some flags to true, so I'm skeptical that this is exploitable at all, but I guess I'll leave it at sec-high.
Keywords: sec-critical → sec-high
|
|
Assignee | |
Comment 6•8 years ago
|
||
Comment on attachment 8817289 [details] [diff] [review] flush_layout.diff [Security approval request comment] How easily could an exploit be constructed based on the patch? I think not easily. It isn't even quite clear whether an exploit could be constructed. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Commit message could be "Bug 1322107, scope local presshell variable in less error prone way, r=mccr8" Which older supported branches are affected by this flaw? all Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Will upload esr45 patch in a minute. Needs separate patch since some other code around the patch has changed. How likely is this patch to cause regressions; how much testing does it need? super safe
Attachment #8817289 -
Flags: sec-approval?
Attachment #8817289 -
Flags: approval-mozilla-esr45?
Attachment #8817289 -
Flags: approval-mozilla-beta?
Attachment #8817289 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 7•8 years ago
|
||
|
||
Updated•8 years ago
|
tracking-firefox51:
--- → +
tracking-firefox52:
--- → +
tracking-firefox53:
--- → +
tracking-firefox-esr45:
--- → 51+
|
|
||
Comment 8•8 years ago
|
||
Comment on attachment 8817289 [details] [diff] [review] flush_layout.diff sec-approval and a=dveditz to land on aurora and beta
Attachment #8817289 -
Flags: sec-approval?
Attachment #8817289 -
Flags: sec-approval+
Attachment #8817289 -
Flags: approval-mozilla-esr45?
Attachment #8817289 -
Flags: approval-mozilla-beta?
Attachment #8817289 -
Flags: approval-mozilla-beta+
Attachment #8817289 -
Flags: approval-mozilla-aurora?
Attachment #8817289 -
Flags: approval-mozilla-aurora+
|
|
||
Comment 9•8 years ago
|
||
Comment on attachment 8817825 [details] [diff] [review] esr45 a=dveditz for esr45
Attachment #8817825 -
Flags: approval-mozilla-esr45+
|
|
||
Updated•8 years ago
|
Group: core-security → dom-core-security
|
||
Comment 10•7 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/e4c3aa050fde62052b403ef50342747202f7e1e9
Flags: in-testsuite?
https://hg.mozilla.org/mozilla-central/rev/e4c3aa050fde
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
|
|
||
Updated•7 years ago
|
Group: dom-core-security → core-security-release
|
|
||
Comment 12•7 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-aurora/rev/0cd75d95f3c0
|
|
||
Comment 13•7 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/73f6920fed06
|
|
||
Comment 14•7 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-esr45/rev/d6c6f5e4e641
|
||
Updated•7 years ago
|
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
|
||
Updated•7 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main51+][adv-esr45.7+]
|
|
||
Updated•7 years ago
|
Alias: CVE-2017-5380
|
|
||
Comment 15•7 years ago
|
||
Hi Nils, can you take a look at this one as well and confirm that we've fixed it? Thanks.
Flags: needinfo?(nils)
|
Reporter | |
Comment 16•7 years ago
|
||
Hi Matt, I can confirm that the testcase does not crash anymore on a recent ASAN build.
Flags: needinfo?(nils)
|
|
||
Comment 17•7 years ago
|
||
(In reply to Nils from comment #16) > Hi Matt, I can confirm that the testcase does not crash anymore on a recent > ASAN build. Excellent, thank you Nils.
Status: RESOLVED → VERIFIED
|
||
Comment 18•7 years ago
|
||
Reproduced the bug on an affected ASAN build (53.0a1, 20161204150411) with the testcase from Comment 0, using Ubuntu 16.04 x64. This is verified fixed on: - 45.7esr (ASAN, 20170118123525) - 51.1.0 (ASAN, 20170125043835) - 52.0b1 (ASAN, 20170124174548) * Note that regular builds did not show this issue in the first place and the latest regular ones are not showing it either. * Updating the firefox53 status flag as well, per Comment 16.
|
|
||
Updated•7 years ago
|
Flags: sec-bounty?
|
|
||
Updated•7 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Updated•7 years ago
|
Group: core-security-release
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•